649 matches found
CVE-2025-10133
The URLYar URL Shortner plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'urlyarshortlink' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2025-10194 Shortcode Button <= 1.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Shortcode Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-10140 Quick Social Login <= 1.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Quick Social Login plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'quick-login' shortcode in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
EUVD-2025-34552
The WP ViewSTL plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'viewstl' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...
CVE-2025-10139 WP BookWidgets <= 0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting
The WP BookWidgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bwlink' shortcode in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-11160
The WPBakery Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS module in all versions up to, and including, 8.6.1. This is due to insufficient input sanitization and output escaping of user-supplied JavaScript code in the Custom JS module. This makes...
CVE-2025-8561 Ova Advent <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Ova Advent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...
PT-2025-41932
Name of the Vulnerable Software and Affected Versions Centreon Infra Monitoring versions 23.10.0 through 23.10.28 Centreon Infra Monitoring versions 24.04.0 through 24.04.18 Centreon Infra Monitoring versions 24.10.0 through 24.10.13 Description The software contains a flaw related to improper...
CVE-2025-11197
CVE-2025-11197 concerns the Draft List plugin for WordPress, vulnerable to Stored Cross-Site Scripting via the drafts shortcode in all versions up to 2.6.1. The attacker must have contributor-level access or higher to inject scripts that execute when users load injected pages. Connected sources c...
CVE-2025-9560
CVE-2025-9560 relates to the WordPress plugin Colibri Page Builder (versions through 1.0.334). It describes a Stored XSS vulnerability in the colibri_newsletter shortcode due to insufficient input sanitization and output escaping. Exploitation requires authentication at contributor level or highe...
PT-2025-41646
Name of the Vulnerable Software and Affected Versions Enable Media Replace plugin for WordPress versions up to and including 4.1.6 Description The software is susceptible to Stored Cross-Site Scripting through the file modified shortcode. Insufficient input sanitization and output escaping on...
PT-2025-41643
Name of the Vulnerable Software and Affected Versions Draft List plugin for WordPress versions prior to 2.6.1 Description The software contains a flaw due to insufficient input sanitization and output escaping on user supplied attributes within the 'drafts' shortcode. This allows authenticated...
CVE-2025-60298
Novel-Plus up to 5.2.4 was discovered to contain a Stored Cross-Site Scripting XSS vulnerability via the /author/updateIndexName endpoint. This vulnerability allows authenticated attackers to inject malicious JavaScript code through the indexName parameter, which gets stored in the database and...
CVE-2025-61999 OPEXUS FOIAXpress stored XSS via logo image
OPEXUS FOIAXpress before 11.13.3.0 allows an administrative user to upload JavaScript or other content embedded in an SVG image used as a logo. Injected content is executed in the context of other users when they view affected pages. Successful exploitation allows the administrative user to perfo...
EUVD-2025-30313
Malicious code in bioql PyPI...
EUVD-2025-17927
Malicious code in bioql PyPI...
EUVD-2025-27128
Malicious code in bioql PyPI...
EUVD-2025-29168
Malicious code in bioql PyPI...
EUVD-2025-28467
Malicious code in bioql PyPI...
EUVD-2025-31693
Malicious code in bioql PyPI...